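<doc>
  <regexp-query>
    <name>Possible SGID Exploit</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Two-step pattern.
      Step 1: an exec record whose real gid is non-zero ([1-9]\d*) while egid is 0;
              group 1 captures that process's pid.
      Step 2: a later record whose ppid equals the captured pid, i.e. a child of
              the gid-0 process. "%1%" here and in <procmatch> presumably refers to
              group 1 of the preceding step; confirm against the query engine.
      NOTE(review): regex text was reconstructed from a garbled copy; verify
      against the original rule set before relying on it.
      NOTE(review): this is a heuristic on id transitions only and presumably also
      fires for ordinary setgid programs; treat matches as leads to investigate,
      not as confirmed exploits.
    -->
    <pattern>
      <next>
        <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\(\d+\); euid=\(\d+\); gid=\([1-9]\d*\); egid=\(0\).*</line>
      </next>
      <next>
        <line>.*args=\([\-\w\\\/ ]+\); pid=\(\d+\); ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- group 1 = the child's command line, stored in "agg" for the annotation -->
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Possible SGID Exploit: %agg%</text>
    </annotation>
  </regexp-query>
</doc>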
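<doc>
  <regexp-query>
    <name>Possible SUID Exploit</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Two-step pattern, the uid counterpart of "Possible SGID Exploit".
      Step 1: an exec record whose real uid is non-zero ([1-9]\d*) while euid is 0;
              group 1 captures that process's pid.
      Step 2: a later record whose ppid equals the captured pid.
      "%1%" in step 2 and in <procmatch> presumably refers to group 1 of the
      preceding step; confirm against the query engine.
      NOTE(review): regex text was reconstructed from a garbled copy; verify
      against the original rule set before relying on it.
      NOTE(review): heuristic on id transitions only; presumably also fires for
      ordinary setuid-root programs, so treat matches as leads, not confirmed exploits.
    -->
    <pattern>
      <next>
        <line>.*exec args=.*pid=\((\d+)\); ppid=\(\d+\); uid=\([1-9]\d*\); euid=\(0\).*</line>
      </next>
      <next>
        <line>.+args=\(.+\); pid=\(\d+\); ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- group 1 = the child's command line, stored in "agg" for the annotation -->
        <line>.*args=\((.+)\); pid=\(\d+\); ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Possible SUID Exploit: %agg%</text>
    </annotation>
  </regexp-query>
</doc>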



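<doc>
  <regexp-query>
    <name>All Processes</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Single step: every proclog record carrying an args=(...) field; group 1 is
      the command line.
      NOTE(review): in the source copy the <pattern> body had been displaced after
      the closing </doc>; it is placed back here. Verify against the original rule set.
    -->
    <pattern>
      <next>
        <line>.*proclog.*args=\(([\-\.\w\\\/ ]+)\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- group 1 = the command line, stored in "agg" for the annotation -->
        <line>.*args=\(([\-\.\w\\\/ ]+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Process started: %agg%</text>
    </annotation>
  </regexp-query>
</doc>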




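<doc>
  <regexp-query>
    <name>Find Processes ...</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Query parameters: each child element name is substituted for the matching
      %name% placeholder in <pattern>; the element text is presumably the default
      (itself a regex fragment). Confirm the substitution semantics against the
      query engine.
      NOTE(review): regex text was reconstructed from a garbled copy; verify
      against the original rule set before relying on it.
    -->
    <args>
      <args>.+</args>
      <pid>\d+</pid>
      <ppid>\d+</ppid>
      <uid>\d+</uid>
      <euid>\d+</euid>
      <gid>\d+</gid>
      <egid>\d+</egid>
    </args>
    <pattern>
      <next>
        <line>.*args=\(%args%\); pid=\(%pid%\); ppid=\(%ppid%\); uid=\(%uid%\); euid=\(%euid%\); gid=\(%gid%\); egid=\(%egid%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- group 1 = the command line, stored in "agg" for the annotation -->
        <line>.*args=\((.+)\); pid.*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Process started: %agg%</text>
    </annotation>
  </regexp-query>
</doc>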
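<doc>
  <regexp-query>
    <name>All Shell-spawned Processes</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Two-step pattern.
      Step 1: an exec record whose args field is exactly "-sh"; group 1 captures
              that shell's pid.
      Step 2: a later record whose ppid equals the captured pid (a child of the shell).
      "%1%" in step 2 and in <procmatch> presumably refers to group 1 of the
      preceding step; confirm against the query engine.
      Unlike the other queries this one highlights but does not <delete/> the
      matched records.
      NOTE(review): regex text was reconstructed from a garbled copy; verify
      against the original rule set before relying on it.
    -->
    <pattern>
      <next>
        <line>.*exec args=\(-sh\); pid=\((\d+)\).*</line>
      </next>
      <next>
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- group 1 = the child's command line, stored in "agg" for the annotation -->
        <line>.*args=\(([\-\w\\\/ ]+)\).*ppid=\(%1%\).*</line>
        <action>
          <highlight/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Executed from a shell: %agg%</text>
    </annotation>
  </regexp-query>
</doc>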
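<doc>
  <regexp-query>
    <name>Incoming Connections</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Single step: any "incoming connection from=(...)" record.
      The <procmatch> line splits the from=(ip:port) and to=(ip:port) fields into
      four groups that feed the annotation variables.
      NOTE(review): regex text was reconstructed from a garbled copy; verify
      against the original rule set before relying on it.
    -->
    <pattern>
      <next>
        <line>.*incoming connection from=\(.+\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- groups: 1 = source ip, 2 = source port, 3 = destination ip, 4 = destination port -->
        <line>.*incoming connection from=\((.+):(.+)\) to=\((.+):(.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="fromip">%1%</varop>
          <varop var="fromport">%2%</varop>
          <varop var="toip">%3%</varop>
          <varop var="toport">%4%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Incoming Connection From IP: %fromip% (on port: %fromport%) To IP: %toip% (on port: %toport%)</text>
    </annotation>
  </regexp-query>
</doc>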



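<doc>
  <regexp-query>
    <name>Keystrokes Entered</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Two-step pattern over "read stream data" records.
      Step 1: any read record; group 1 captures the stream id.
      Step 2: a later read on the same stream id whose data contains a \0
              followed by one of [ad46]; presumably an end-of-line marker that
              closes the entered line. Confirm the meaning against the log format.
      NOTE(review): the character class in step 2 was reconstructed from a
      garbled copy using the parallel "Screen Output" query as reference; verify
      against the original rule set.
      NOTE(review): the annotation reproduces the raw input data verbatim, which
      may include sensitive input such as credentials typed at the terminal;
      restrict who can view the resulting annotations accordingly.
    -->
    <pattern>
      <next>
        <line>.*read stream data, id=\((\d+)\) data=\(.+\).*</line>
      </next>
      <next>
        <line>.*read stream data, id=\(%1%\) data=\(.*\\0[ad46].*\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- group 1 = the data field of each read on the matched stream, stored in "agg" -->
        <line>.*read stream data, id=\(%1%\) data=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Keystrokes Entered: %agg%</text>
    </annotation>
  </regexp-query>
</doc>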
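<doc>
  <regexp-query>
    <name>Screen Output</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Two-step pattern over "write stream data" records, the output counterpart
      of "Keystrokes Entered".
      Step 1: any write record; group 1 captures the stream id.
      Step 2 (fromprev="1"): a later write on the same stream id whose data
              contains a \0 followed by one of [ad46]; presumably an end-of-line
              marker. Confirm the meaning against the log format.
      NOTE(review): regex text was reconstructed from a garbled copy; verify
      against the original rule set before relying on it.
    -->
    <pattern>
      <next>
        <line>.*write stream data, id=\((\d+)\) data=\(.+\).*</line>
      </next>
      <next fromprev="1">
        <line>.*write stream data, id=\(%1%\) data=\(.*\\0[ad46].*\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- group 1 = the data field of each write on the matched stream, stored in "agg" -->
        <line>.*write stream data, id=\(%1%\) data=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="agg">%1%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>Output to screen: %agg%</text>
    </annotation>
  </regexp-query>
</doc>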



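<doc>
  <regexp-query>
    <name>Find Monitored</name>
    <properties>
      <priority>10</priority>
    </properties>
    <!--
      Query parameters: file_name and pid are substituted for %file_name% and
      %pid% in <pattern>; the element text is presumably the default (a regex
      fragment). Confirm against the query engine.
      NOTE(review): regex text and the annotation text were reconstructed from a
      garbled copy; verify against the original rule set before relying on them.
    -->
    <args>
      <file_name>.+</file_name>
      <pid>\d+</pid>
    </args>
    <pattern>
      <next>
        <line>.*monitored file opened name=\(%file_name%\) pid=\(%pid%\).*</line>
      </next>
    </pattern>
    <procmatch>
      <actionpair>
        <!-- groups: 1 = file name, 2 = pid of the opening process -->
        <line>.*monitored file opened name=\((.+)\) pid=\((.+)\).*</line>
        <action>
          <highlight/>
          <delete/>
          <varop var="filename">%1%</varop>
          <varop var="pidvar">%2%</varop>
        </action>
      </actionpair>
    </procmatch>
    <annotation>
      <text>File %filename% (from pid: %pidvar%)</text>
    </annotation>
  </regexp-query>
</doc>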



